[vlc-devel] [PACKAGERS] libavformat leak security advisory

Michael Niedermayer michaelni at gmx.at
Tue Jan 19 20:49:35 CET 2016


On Sat, Jan 16, 2016 at 04:13:10PM +0200, Rémi Denis-Courmont wrote:
> tl;dr:
> 1) The libavformat vulnerability affects VLC.
> 2) The FFmpeg 2.8.5 release does NOT address the vulnerability.
> Hello,
> As many of you already know by now, there is a lot of fuss about an information 
> leak vulnerability in libavformat at the moment. The issue affects both libav 
> and FFmpeg sides of the forked project.
> At the time of writing, fixing efforts have concentrated on the libavformat 
> HLS implementation. Because the root cause of the problem is not in HLS, those 
> efforts have failed. 
> On the one hand, the libav project has one unmerged patch to address the 
> problem. The patch does not address the VLC vulnerability. On the other hand, 
> the FFmpeg project has made a release claiming to fix the problem (2.8.5). The 
> release does not fix the problem.

If you know of a security issue in FFmpeg 2.8.5, please provide details
about that. I am not aware of a remaining related issue and none
was reported to ffmpeg-security.
Also if you have a patch fixing an issue, as you describe, please
share that patch so we can fix any remaining issue in FFmpeg.


Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."